Course 3-Day 2 High-Tech Operator Certificate Program Course 3: Data Management.


Copyright © 2009 AWWA 2

Welcome Back & Review

Interfaces Between Systems & Applications

Networks & Network Components

In-house vs. Hosted Solutions

Web Site and Portal Functions and Features

Security Issues

Course Conclusion

Agenda – Day 2


This is day 2 of the third course in a series of three that leads to a High-Tech Operator Certificate.

Today we’ll look at interfaces between systems & applications, networks & their components, in-house vs. hosted solutions, web site & portal functions & features, and security issues.

Welcome Back


Before we begin, let’s review.

What did you learn yesterday?

Introduce yourself

Your name

Where you are from

Share one thing from yesterday that really stuck out for you

Introductions and Review


By the end of today, you will be able to:

Identify 4 common information silos

Describe functions of common network components

Identify benefits of client-server and ASP solutions

Distinguish between web sites and portals

Identify 3 of the common system security weaknesses

Goals


Currently: Disparate systems


Why is this a problem?

Inconsistent data

No cross-functional reports

Miss the big picture

Significant time spent collecting & analyzing data from multiple systems

Dependence on system owners to produce information

Inability to make timely decisions


What is the Solution?

Integrated Systems

Integrated Processes


Example Cross-Functional Processes and Systems

Process: Related Systems

Purchasing: CMMS, FIS

Work Orders: CMMS, FIN, HR, GIS, SCADA

Customer Service: CMMS, GIS

Customer Web Access: CIS, GIS, CMMS

Budgeting: FIS, HR, CMMS

Operations Management: CMMS, FIN, HR, GIS, SCADA, CIS


Example Cross-Functional Business Process: Purchasing


• Inventory Request

• Inventory Confirmation

• Purchase Order

• Payment

• Purchase Requisition

• Shipment Confirmation


Why Integrate?

Improved Customer Service

Improved Operational Efficiency

Cost Savings

Improved Management

Alignment with Strategic Goals


How do you get there?


What if it works?

Better oversight

Improved analytics/decision support

Cross-application data analysis

Assess customer demand for services

Plan for resources to match demand

More accountability

React to changes efficiently/effectively

Allows for proactivity


Less Cost/More Revenue

More efficient work staff

Increased productivity

Cost/unit reductions with better accuracy for planning and analysis

Lower transactional & service cost with the Web

Potential to eliminate maintenance on redundant systems


Operational Efficiency

Eliminate dual entry/redundancy

Improved data quality

Improved analytics

Improved decision making

Improved business processes

Ability to plan to meet demands

Streamline/unify approaches

Ability to take advantage of best practices


Improved Customer Service

Customers

Greater information availability

Better response time

Fewer, more-effective interactions

Employees

Real-time data

Better access to information

More information to answer questions

Increased visibility of the whole business process


Alignment with Strategic Goals

Improve customer service level

More-effective policymaking

Leverage technology investment

Expand Web-based functionality


Summary

Disparate systems have negative effects on business

Integration leverages staffing and technology investments

Integration efforts must be planned

Integration can enable your workforce to make better decisions and be more efficient


What is a Network?

A group of interconnected computers

Can be defined by scale

Personal Area Network (PAN)

Local Area Network (LAN)

Campus Area Network (CAN)

Metropolitan Area Network (MAN)

Wide Area Network (WAN)

Can be defined by communication protocol


Networks

Personal Area Network

Communicates among devices close to one person, typically within 20-30 feet.

May be hardwired or wireless.

Local Area Network

Covers a small geographic area (home, office, or building).

Most likely uses Ethernet technology.

Operates at speeds up to 10 Gbit/s.


Campus Area Network

Connects two or more LANs

Limited to a specific & contiguous area

Metropolitan Area Network

Connects two or more LANs or CANs

Does not extend beyond the boundaries of the town, city, or metropolitan area

Networks (cont.)


Wide Area Network

Covers a relatively broad geographic area (e.g., from one city to another, or from one country to another)

Often uses transmission facilities provided by common carriers, such as telephone companies

Networks (cont.)


Intranet

Set of interconnected networks

Uses the Internet Protocol and Web browsers

Under the control of a single administrative entity, allowing only specific users

Closed to the rest of the world


Extranet

An intranet that has been extended to give limited, controlled access to the networks or users of one or more other organizations (vendors, partners, customers)

Still owned and administered by a single organization, but no longer closed to the outside world, so the shared portion needs its own access controls


Network Hardware

All networks are built from basic hardware building blocks that interconnect network nodes: Network Interface Cards (NICs), repeaters, bridges, hubs, switches, and routers. Some medium must connect these building blocks, usually copper cable (most commonly Category 5 twisted pair). Less common are wireless links (e.g., IEEE 802.11 Wi-Fi, which operates in the microwave band) and optical fiber.


Network Card

A network card, network adapter or NIC (network interface card) allows computers to communicate over a network.

It provides physical access to a networking medium.

It connects to the network either by using cables or wirelessly.


Repeater

A repeater is an electronic device that receives a signal, removes noise, and re-transmits it at a higher level or higher power, or onto the other side of an obstruction, so that the signal can cover longer distances without degradation.

Available for all network communication media (T1, Ethernet, fiber optic, wireless, etc.)


Hubs & Switches

A hub contains multiple ports. When a packet (frame) arrives at one port, it is copied to all the other ports of the hub, so every host on the hub sees every other host's traffic: a sniffer on any port captures it all.

Switches are like hubs, but they learn which address sits behind each port and send traffic for a specific address only to the associated port. This limits casual eavesdropping but does not prevent it: techniques such as MAC flooding and ARP spoofing can still redirect traffic through an attacker's port.


Routers

Routers are networking devices that forward data packets between networks, using the packet headers (destination address) and a routing/forwarding table to choose the best next hop.

Routers work at the internet layer of the TCP/IP model (the network layer, Layer 3, in the OSI model). Routers also provide interconnectivity between like and unlike media (e.g., Ethernet to a WAN circuit).

A router is connected to at least two networks, commonly two LANs or WANs, or a LAN and its ISP's network. Because it sits at the boundary between networks, the router (or a firewall beside it) is where traffic between those networks is filtered.


In-House or ASP?

Where do you want your software hosted?

If you run it in-house, the solution is usually referred to as a client-server system

Vendor-run applications are referred to as application service provider (ASP) solutions

Both options provide distinct advantages: consider which are more important to you


Client-Server Solutions

Most software is locally hosted - the application and data reside on your in-house server. This gives you the greatest control over every aspect of your applications.

Having this total control comes at a cost, though.

It takes considerable expertise and effort to maintain the application and its database and keep them secure (patching, account management, monitoring).

It often requires significant expense for consultants and hardware.

It makes you responsible for regular, tested backups in case of a system crash.


ASP Solutions

ASP solutions are gaining popularity.

The application and data reside on the supplier's servers, and your staff gets access through a Web browser or client software.

The database is maintained by the vendor’s IT staff.

Multiple layers of firewalls and other security controls, UPSs, fail-over and reliable backups are typically part of the package; confirm what is actually provided, and how you can verify it, in the contract or service-level agreement.

The biggest risk of on-line solutions is that they require an active Internet connection.


Costs

With a client-server system, you pay a lump sum upfront to buy and set up the system, including software and servers.

With on-line providers, you pay a smaller setup fee and then ongoing monthly payments based on usage.


Consider In-house IT Capabilities

If you have in-house IT staff, a client-server solution may be your best option.

Smaller organizations with little to no computer expertise are probably better off choosing an on-line solution.


Consider Level of Customization

ASPs can easily make basic changes in appearance and functionality, giving you some control over the application.

If you need extensive customization and integration, client-server solutions provide more flexibility (but at a premium price).


Consider Security

If you have documents that you are legally required to protect, an in-house solution gives you direct responsibility for them.

In many cases, though, ASPs can provide better security than you could in your own data center, through more layers of security and larger IT staffs. The legal responsibility for the data stays with you either way, so get the vendor's security obligations in writing.


Consider the Potential Problems

Being unable to access your documents through an ASP while your Internet connection is down

or

Losing data and time because your in-house server crashes


Welcome Back & Review

Interfaces Between Systems & Applications

Networks & Network Components

In-house vs. Hosted Solutions

Web Site and Portal Functions and Features

Security Issues

Course Conclusion

Agenda – Day 2


Why Use the Web?

Accessible from anywhere Internet access is available

Ability to set different permission levels

Can be made secure


Web Site

A web site is a collection of Web pages, images, videos or other digital assets that is hosted on one or more Web servers, usually accessible via the Internet.

A Web page is a document, typically written in HTML, that is almost always accessible via HTTP, a protocol that transfers information from the Web server for display in a Web browser.


Web Pages

The pages of web sites are usually accessed from a common root URL (a URL is one kind of URI): the homepage, and usually reside on the same physical server.

The URLs of the pages organize them into a hierarchy, although the hyperlinks between them control how the reader perceives the overall structure and how the traffic flows between the different parts of the sites.


Web Server

A web site is hosted on a computer system known as a web server (a.k.a. HTTP server).

A system runs software that retrieves and delivers the Web pages in response to requests from the web site users.

Apache and Microsoft’s Internet Information Services (IIS) are commonly used Web server applications.


Accessing Web Pages

Web sites are written in, or dynamically converted to, HTML and are accessed using a software interface called a user agent.

Web pages can be viewed or otherwise accessed from a range of computer-based and Internet-enabled devices, including desktop computers, laptop computers, PDAs and cell phones.

<html>
<head><title>Title goes here</title></head>
<body>
<h1 align="right">Body goes here</h1>
<hr>
<h3 align="center">Headings are cool!</h3>
<p><b>I can use text links... Visit <a href="http://www.davesite.com/">Dave's Site</a>!</b>
<hr width="50">
and Image Links... <a href="http://www.davesite.com/"><img src="http://www.davesite.com/graphx/davesmll.gif"></a></p>
</body>
</html>


Accessing Web Pages (cont.)

A static web site is one whose Web pages are stored on the server in the same form as the user will view them. They are edited using three broad categories of software:

Text editors such as Notepad or TextEdit, where the HTML is manipulated directly within the editor program

WYSIWYG editors such as Microsoft FrontPage and Adobe Dreamweaver, where the site is edited using a GUI and the underlying HTML is generated automatically by the editor software

Template-based editors, such as RapidWeaver and iWeb, which let users quickly create web sites by picking a suitable template from a palette and adding pictures and text to it without ever having to see any HTML code


Why a Portal?

It provides a centralized application that serves as a gateway to the other applications within the same enterprise:

To share the information across applications.

To have a single access point to all applications over the Internet.

To personalize the applications and keep the coupled applications coordinated.

To have administrative tools all in a single place to administer all the applications.


Advantages of Using Portals

Intelligent integration and access to enterprise content, applications and processes.

Improved communication and collaboration among customers, partners, and employees.

Unified, real-time access to information held in disparate systems.

Consistent headers, footers, color schemes, icons & logos, which give the user a sense of consistency, uniformity, and ease of navigation

Personalized user modification and maintenance of the web site presentation.


Portal Tools

Web portals have tools to:

Manage data

Manage applications

Manage information

Personalize views

Integrate legacy applications

Handle thousands of user requests


Corporate Portals Capabilities

Managing workflows

Increasing collaboration between work groups

Allowing content creators to self-publish their information

Allowing internal and external access to specific information using secure authentication


What’s Hot

Microsoft's SharePoint Portal Server line of products has been gaining popularity among corporations for building their portals, partly due to its tight integration with the rest of the Microsoft Office products.

Portals and databases are offered as ASP solutions.


IT Security Fundamentals

IT Security affects, and is integrated into, many areas:

Security Management Practices

Access Control

Security Models and Architecture

Physical Security

Telecommunications and Networking Security

Cryptography

Disaster Recovery and Business Continuity

Law, Investigation, and Ethics

Application and System Development

Operations Security


What do you want to protect?

Sensitive Data

Employee Payroll and other personal information

SCADA point lists

CCTV locations

Network Diagrams

Spread-Spectrum Radio Hopping Patterns

Passwords, PIN Codes

Org Charts, Vacation Schedules

Sensitive Systems

Finance and Billing Systems

Physical Security System

SCADA / Process Control Systems

Routers and Network Equipment

System Administrator Workstations, Laptops

Anything else you need to run your business…


System Vulnerabilities

Top 10 Control System Vulnerabilities


1. Inadequate security policies and procedures

Clash between operational culture & modern IT security methods.

Lack of appreciation of the risk involved with networking control systems.

Lack of adequate risk assessment.

No control system information security policy.

No auditing or enforcing of control system information security policy.


2. Inadequately designed defense-in-depth mechanisms

Emphasis on system availability and reliability, with security being an afterthought.

Insufficient investment to reengineer systems’ Web-based technology in accordance with appropriate risk assessment criteria.


3. Remote system access without appropriate access control

Inappropriate use of dial-up modems.

Use of commonly known passwords or no use of passwords.

Use of nonsecure control system connectivity to the corporate Local Area Network (LAN).

Allowing unauditable and nonsecured access by vendors for support.


4. Inadequate system admin mechanisms & software maintenance

Inadequate patch management.

Lack of appropriately applied real-time virus protection.

Inadequate account management.

Inadequate change control.

Inadequate software inventory.


5. Use of inadequately secured WiFi communication for control

Use of commercial off-the-shelf (COTS) consumer-grade wireless devices for control network data.

Use of outdated or deprecated security/encryption methods (e.g., WEP).


6. Use of nondedicated comm channels for command & control

Internet-based SCADA

Inappropriate use of control channels for noncontrol data: asset management, power-quality data files, metering, maintenance.

Internet/Intranet connectivity initiated from control system networks: e-mail, Web browsing, file sharing, instant messaging.


7. Lack of tools to detect and report inappropriate activity

Underutilized Intrusion Detection Systems (IDS)

Undermanaged network system

Implementation of immature Intrusion Prevention Systems (IPS)


8. Unauthorized apps or devices on control system networks

Unauthorized installation of additional software to control system devices (games, “weatherbug”, spyware).

Peripherals with noncontrol system interfaces (multi-function or multinetwork printers).

Nonsecure Web interfaces for control system devices.

Laptops.

USB memory.

Other portable devices (personal digital assistants [PDAs]).


9. Control systems command and control data not authenticated

Authentication for LAN-based control commands not implemented.

Immature technology for authenticated serial communications to field devices.
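As an added illustration of what authenticating a LAN-based control command involves (example code written for this page, not part of the AWWA course or of any SCADA product), the following Python tags each command with a sequence number and an HMAC-SHA256 computed under a shared secret; the receiving device rejects any frame whose tag does not verify or whose sequence number has already been seen (a replayed capture). The frame layout, the command strings and the pre-shared key are assumptions chosen for the example. Standardized protocols such as DNP3 Secure Authentication build on the same primitives.

```python
"""Authenticated control commands: HMAC tag plus a monotonically increasing sequence number.

Example code written for this page (not AWWA's or any vendor's). The frame layout,
command strings and shared key are assumptions chosen for illustration.
"""
import hashlib
import hmac

# Assumed frame layout (ASCII, ':'-separated):
#   <seq>:<command>:<hex HMAC-SHA256 over "<seq>:<command>">
# In this toy format the command text must not itself contain ':'.


def sign_command(key: bytes, seq: int, command: str) -> bytes:
    """Build an authenticated frame for `command` with sequence number `seq`."""
    body = f"{seq}:{command}".encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b":" + tag


class CommandReceiver:
    """Field-device side: accepts a frame only if its tag verifies and its sequence number is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, frame: bytes):
        """Return (True, command) for a valid frame, or (False, reason) for a rejected one."""
        body, sep, tag = frame.rpartition(b":")
        if not sep:
            return (False, "malformed frame")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode("ascii")
        # Constant-time comparison: a plain '==' would leak tag bytes through timing.
        if not hmac.compare_digest(tag, expected):
            return (False, "bad tag")  # forged, tampered, or signed under another key
        seq_text, _, command = body.partition(b":")
        try:
            seq = int(seq_text)
        except ValueError:
            return (False, "malformed frame")
        if seq <= self.last_seq:
            return (False, "replay")  # an old frame captured and resent
        self.last_seq = seq
        return (True, command.decode("ascii"))


if __name__ == "__main__":
    key = b"pre-shared-secret-for-this-example"  # assumption: distributed out of band
    rtu = CommandReceiver(key)
    frame = sign_command(key, 1, "OPEN valve17")
    print(rtu.verify(frame))                            # (True, 'OPEN valve17')
    print(rtu.verify(frame))                            # (False, 'replay')
    print(rtu.verify(frame.replace(b"OPEN", b"SHUT")))  # (False, 'bad tag')
```

The tag gives integrity and origin authentication, not confidentiality: anyone on the LAN can still read the commands. The sequence number only protects against replay if the receiver stores the last accepted value across restarts; in practice the standards use a challenge-response exchange instead of a bare counter for that reason.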


10. Inadequate critical support infrastructure

Inadequate uninterruptible power supply (UPS) or other power supply systems.

Inadequate or malfunctioning heating / ventilation / air conditioning (HVAC) systems.

Poorly defined “6-wall” boundary infrastructure (e.g., walls that stop at a drop or foam ceiling instead of extending to the structural ceiling, so the room is not actually enclosed on all six sides).

Insufficiently protected telecommunications infrastructure.

Inadequate or malfunctioning fire suppression systems.

Lack of recovery plan.

Insufficient testing or maintenance of redundant infrastructure.


Threats – Outsiders

Groups: Organized Crime, “Hacktivists”, Hacker Groups, Foreign Intelligence, Terrorists

Individuals: Fraud / Scam Artists, Curious Hackers, Vandals


Threats – Insiders

Disgruntled:

Employees and Ex-Employees

Vendors and Ex-Vendors

“Gruntled” but overly curious:

Employees and Ex-Employees

Vendors and Ex-Vendors


Malware

Virus

Self-replicating

Trojan Horse

A “bad” program disguised as a “good” program

Spyware

From usage monitors to keyloggers and password-grabbers

Adware

You searched for product A and got pop-ups for competitor product B

“How did THAT get on MY computer?”

Weather monitors, custom cursors, screensavers, games, etc.

Once you have one, many more will follow…


Malware

Spam – Not the tasty Hormel kind…

“Legitimate” Unsolicited Commercial E-mail

“Adult” Web sites or services

Shady Sales Pitches from forged sender addresses

“Rolex watches”, “Can you last 36 Hours”, “Hot stock tips”

Fraud and Phishing (more on this later)

You won the lottery!!!

Nigerian Oil Scam (aka 4-1-9 scam)

Pirated Software Products or Movies

Hidden Web “bugs” (tracking images) in the spam let the sender know you received and opened it…

Not all spam will be caught by the spam filter (false negatives)

DON’T EVER, EVER, EVER REPLY TO SPAM OR CLICK ON ANYTHING IN THE MESSAGE

Recommend disabling “auto-preview” and “Preview Pane” in Outlook


Malware

EULA – End-User License Agreement

The 30-page document that you didn’t read, but which is legally binding and that you agreed to when you clicked “OK” (Kazaa, Gator / GAIN, Weatherbug, Screensavers)

You might have agreed to:

Limit liability to the company for damages directly or indirectly caused by the software

Allow collection of data, including configuration information and files

Allow monitoring of activity, including Web surfing, e-mails, user names, passwords, credit card numbers

Allow installation of additional software without further permission or notification


Malware

Symptoms

Computer running slow

Frequent crashes

Extra pop-ups

Slow network response time

Unfamiliar “Search Toolbars”

Detection and Removal

Antivirus software catches viruses but, historically, not spyware that you “agreed” to install through a EULA

Free Spyware Detection such as Ad-Aware, Spybot Search & Destroy, Microsoft Anti-Spyware Beta (later Windows Defender)

Commercial Spyware Detection


Social Engineering

Someone trying to get you to do something you shouldn’t do, or give them information you shouldn’t give out

Attacker will play on emotions with various tactics: Persuasion, Intimidation, Trust, Guilt, etc…

As technical controls are improved (firewalls, antivirus, etc.), social engineering becomes a more effective route


Social Engineering

“Hi, this is Mark over here at SCADA Masters. We’re consolidating your O&M documentation into a new format and I just wanted to verify that you guys are still using 142 for your hopping pattern…”

“This is Alan from Fruitdale Water District. We’re thinking about putting in a SCADA system and I was just wondering what you guys were using and how well it’s working out for you…”

“Hey, I’m sorry to bother you on a Friday – this will only take a second. I’m doing a survey for my Environmental Studies class and I wanted to ask you a few questions…”

“Could you fax me your org chart…?”


Social Engineering

From: Bob Stevens <[email protected]>

To: All Employees

Subject: Mandatory System Update

This is a mandatory system update to protect our employees from the recent Buster worm. Please click the following link to install this mandatory update:

https://intranetserver%40101%2e5%2e87%2e52/update05276.exe

Thanks,

Bob Stevens, System Administrator

(%40 is the URL-encoded “@” and %2e the encoded “.”, so the link is really https://intranetserver@101.5.87.52/update05276.exe. In a URL, anything before the @ is a user name, not a host name: the browser connects to 101.5.87.52, and “intranetserver” is just decoration.)


Phishing

A type of social engineering that plays on fear

Almost always tries to get personal information

When in doubt, contact the supposed source directly (by phone, or by e-mail to an address you already know, not by replying to the message)

Never respond to or click on any part of the message

E-mail is like a postcard, anyone can easily forge the “from” address and make the message look real

Linked with virus spreaders and even organized crime

BE CAREFUL!!! Ask your system administrator!
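As an added check for the kind of message shown on the “Mandatory System Update” slide and the point above that the “from” address is easily forged (example code written for this page, not part of the AWWA course), the following Python reads a message, compares the domain of the visible From: address with the bounce address in Return-Path:, and decodes each link the way a lenient browser of the time would, to show the host it really reaches. The headers of the sample message are constructed for the example (the slide shows only From, To and Subject, and the domains here are invented); the body text and the link are the ones quoted on the slide.

```python
"""Header and link checks for a suspected phishing message.

Example code written for this page (not AWWA's). The Return-Path, To and From
addresses below are constructed for illustration; the body and link are quoted
from the "Mandatory System Update" slide.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import unquote, urlsplit

SAMPLE_MESSAGE = """\
From: Bob Stevens <bob.stevens@waterdistrict.example>
Return-Path: <bounce-8812@mailblast.example.net>
To: All Employees <all-employees@waterdistrict.example>
Subject: Mandatory System Update

This is a mandatory system update to protect our employees from the recent
Buster worm. Please click the following link to install this mandatory update:

https://intranetserver%40101%2e5%2e87%2e52/update05276.exe

Thanks,
Bob Stevens, System Administrator
"""

URL_RE = re.compile(r"https?://[^\s<>]+")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".com", ".msi", ".pif")


def analyze_link(url: str) -> dict:
    """Resolve a link as a lenient browser did (percent-decode, then parse) and
    report the host it really connects to plus the red flags found."""
    decoded = unquote(url)            # %40 -> '@', %2e -> '.'
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:    # text before '@' is userinfo, not the host
        findings.append("userinfo-before-@")
    try:
        ipaddress.ip_address(host)
        findings.append("bare-ip-host")
    except ValueError:
        pass                          # a normal host name, not an IP literal
    if decoded != url:
        findings.append("percent-encoded-authority")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append("direct-executable-download")
    return {"url": url, "real_host": host, "findings": findings}


def analyze_message(raw: str) -> dict:
    """Compare the visible From: domain with the Return-Path: (bounce) domain
    and run analyze_link over every link in the body."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, bounce_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    bounce_domain = bounce_addr.rpartition("@")[2].lower()
    findings = []
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"from/return-path mismatch: {from_domain} vs {bounce_domain}")
    body = msg.get_payload()          # single-part text message in this example
    links = [analyze_link(u.rstrip(".,)")) for u in URL_RE.findall(body)]
    for link in links:
        if link["findings"]:
            findings.append(f"suspicious link -> {link['real_host']}: "
                            + ", ".join(link["findings"]))
    return {"from_domain": from_domain, "bounce_domain": bounce_domain,
            "links": links, "findings": findings}


if __name__ == "__main__":
    for line in analyze_message(SAMPLE_MESSAGE)["findings"]:
        print(line)
```

A Return-Path that does not match the From: domain is not proof of fraud (mailing-list services legitimately bounce elsewhere), but together with a link whose real host is a bare IP address and whose target is an executable it is enough to stop and call the system administrator. The check is on the message headers and links only; nothing is fetched.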


Fake lotteries

How to spot…

Did you enter in a lottery?

Do they tell you not to tell anyone?

Ar thier a lot of mispllled words or phrases uncommon?

Do they ask you to send them a copy of your passport or other identification, important documents, etc.

Is there a “processing fee”? Often this is the scam itself.

Do you think they would really just e-mail you about it?

If it sounds too good to be true…

If all else fails… remember that in the United States it is illegal to play a foreign lottery by mail or telephone!!!


Fake lotteries

FROM: THE DESK OF THE E-MAIL PROMOTIONS MANAGER, INTERNATIONAL PROMOTIONS/PRIZE AWARD DEPARTMENT
MICROSOFT LOTTERY, UNITED KINGDOM. 61-70 Southampton Row, Bloomsbury, London, United Kingdom, WC1B 4AR
MR. GABRIEL MARTINS
PHONE #: +44 703-194-3199

REF NO: MSW-L/200-26937
BATCH: 2005MJL-01

ELECTRONIC MAIL AWARD WINNING NOTIFICATION. AWARD PRESENTATION CENTER: UNITED KINGDOM

We are pleased to inform you of the announcement today of winners of the MSW MEGA JACKPOT LOTTO WINNINGS PROGRAMS held on 2nd SEPTEMBER 2005.Your company or your personal e-mail address, is attached to winning number 20-12DEC-2004-02MSW, With serial number S/N-00168 drew the lucky numbers 887-13-865-37-10-83, and consequently won in the first lottery category.

You have therefore been approved for lump sums pay out of GBP5,500,000.00 POUNDS in cash Credited to file REF NO:MSW-L/200-26937 this is from total prize money of GBP 27,500,000.00 POUNDS, shared among the Twenty (5) international winners in this category….


Fraudulent or Illegal Offers

“Rolex” Watches – Just like the street peddlers in New York sell…

Low-cost prescription drugs – It is currently illegal to purchase prescription drugs without a prescription and/or from overseas sources

Low-cost Adobe Photoshop / Microsoft Office – Illegal pirate / bootleg copies

Low-cost DVD movies – Same thing…

University “diploma” based on “experience” (and your $) – This won’t be from an accredited university


4-1-9 / Nigerian Oil Scam

From: JAMES ZUPP [[email protected]]

Subject: YOUR UTMOST ASSISTANCE AND HUMBLE COOPERATION REQUIRED

Dearest one,

This letter might come to you as a surprise as we have not met before,but I believe that you would be compelled to help me after going through the contents of this letter. My name is Mr James Zupp,a divorcee, I am a Zimbabwean of German Origin.I am a farmer,or rather I was a farmer in Zimbabwe.Basically, I was involved in Agricultural production,until August 2002, when the government of Robert Mugabe decided to seize all farm-land(s) owned by whites in Zimbabwe (without compensation). He (Robert Mugabe) did not stop at that; he also went on to expel all White farmers in Zimbabwe.He employed the services of his war veterans to undertake this seizure. I used the services of a Diplomatic Courier Company to move this money (registered as official documents) out of Zimbabwe to Europe.At present, my money totalling US$15,750,000. (Fifteen million, seven Hundred and fifty thousand United States Dollars) is in Europe and hopefully, it would be paid into an offshore account. Can you help me? Are you trustworthy? Can you handle this money? Are you capable of handling this money? If you can, please contact me on:[email protected]

….


Types of Tests

Vulnerability (or Security) Assessment

Looking for all weaknesses

Audit

Assessing to specific and predefined standards

Penetration Test (or Penetration Study)

Looking to exploit at least one specific vulnerability to gain access to restricted resources or systems for demonstration purposes (“prove it!”)

RAM-W Methodology


AWWA RAM-W Methodology

Originally developed by Sandia National Labs

Expansion on RAM (Risk Assessment Methodology). The W stands for Water.

Now run by American Water Works Association

Process of identifying and prioritizing assets by pair-wise comparison and spreadsheets

Little focus on SCADA

Only focused on “loss” of assets, not misuse


Why do a Penetration Test?

Moving from the Theoretical to the Real World

Simulates a real “Hacker Attack”

If successful, provides unquestionable evidence that specific vulnerabilities exist

If unsuccessful, provides a reasonable level of assurance that the tested networks and systems resisted the attacks tried at that time (not proof that they are secure: a test is bounded by its scope, its time limit, and the testers’ skill)

Very powerful in its form and presentation

Can find weaknesses and design flaws that nobody ever thought about


What does a Penetration Test Entail?

Black Box (Blind Test) vs. White Box (Engineering Study)

Customer knows in advance vs. Customer response is being evaluated

Architecture Review

External Pen-Test vs. Internal Pen-Test

Background Research and Document Grinding

Social Engineering

IP-based Network Vulnerability Scanning

Identification of misconfigured items

Exploitation of found vulnerabilities (usually scripting and C code!)

Password guessing and cracking

Dial-up Telephone Audit (wardialing)

802.11 Wireless Ethernet audit (wardriving)

Goal achieved, time limit reached, or testing halted

Final Report and Presentation to Upper Management

Plan for Ongoing Remediation Activities and Follow-on Testing


Resources

Sans.org (Reading Room, Internet Storm Center)

SecurityFocus.com (E-mail discussion lists)

US-CERT.gov (Alerts)

CERT.org (Alerts)

WaterISAC.org (Information Sharing)

ARIN.net WHOIS (look up who is assigned an IP address range)

Your System / Network Administrator